Windows Utilities

To iterate through a directory and grant "Full" permissions to each user (assuming the directory name and user name are the same):
for /f "tokens=5" %u in ('dir h:\') do cacls H:\%u /E /T /G cehd\%u:F

Other permission related commands

  • perms
  • icacls -- set permissions for files/folders
  • icacls cdavis /grant backup:RX (doesn't propagate to subfolders)
  • icacls cdavis /grant backup:(OI)RX (will propagate to subfolders)
  • xcacls
  • To set permissions for all folders within a folder, the following process works.

Create a file of all commands using
for /f "tokens=5" %u in ('dir g:\documents_new') do echo icacls g:\documents_new\%u /grant "Backup Operators":(OI)(CI)(RX) >> list.txt
(running icacls directly from the for loop broke when the list hit the . and .. entries, which dir also prints; the generated file lets you drop those two lines first)
Then, copy the commands into the command line to run.

csvde.exe

Import/Export data to/from Active Directory via CSV files.

csvde.exe -f OUTPUT.csv -r "(objectClass=user)"

Excel formula to convert timestamp value in csvde output to a date: =IF(AI3>0,AI3/(8.64*10^11) - 109205,"" )

Values like the following (9.22x10^18 in scientific notation, or 9223372036854770000 when shown in full) indicate non-expiring accounts.
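For the same conversion outside Excel, here is an added Python example, not from the original notes: it applies the formula's arithmetic (ticks divided by 8.64*10^11, minus 109205 days) to csvde's FILETIME columns, converts them to real dates, and flags the non-expiring accounts, including values Excel has already rounded. The column names and sample rows are constructed.

```python
"""Convert csvde FILETIME columns (accountExpires, lastLogonTimestamp, pwdLastSet) to dates
and flag non-expiring accounts. Added example: column names and rows are constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_DAY = 864_000_000_000   # 100-ns intervals per day (the 8.64*10^11 in the Excel formula)
EXCEL_DAY_OFFSET = 109205         # days from 1601-01-01 to Excel's day zero, 1899-12-30
NEVER = 0x7FFFFFFFFFFFFFFF        # 9223372036854775807: AD's "never expires" sentinel
# Largest tick count Python can represent as a datetime (year 9999); anything beyond it,
# including NEVER and Excel's rounded renderings of it (9.22E+18), is not a real expiry date.
MAX_TICKS = (datetime.max.replace(tzinfo=timezone.utc) - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def _ticks(value):
    """Parse a FILETIME field, tolerating Excel re-exports such as 9.22E+18."""
    text = str(value).strip()
    try:
        return int(text)
    except ValueError:
        return int(float(text))


def filetime_to_datetime(value):
    """UTC datetime, or None when the field is 'not set' (0) or means 'never'."""
    ticks = _ticks(value)
    if ticks <= 0 or ticks > MAX_TICKS:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_to_excel_serial(value):
    """The same arithmetic as the Excel formula above: days since 1899-12-30."""
    return _ticks(value) / TICKS_PER_DAY - EXCEL_DAY_OFFSET


def non_expiring_accounts(csv_text):
    """sAMAccountNames whose accountExpires field means the account never expires."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r["sAMAccountName"] for r in rows
            if filetime_to_datetime(r["accountExpires"]) is None]


# Constructed sample in csvde's layout (the DN column is quoted because it contains commas).
SAMPLE_CSV = """DN,sAMAccountName,accountExpires
"CN=Alice,OU=Staff,DC=example,DC=com",alice,133485408000000000
"CN=Bob,OU=Staff,DC=example,DC=com",bob,9223372036854775807
"CN=Carol,OU=Staff,DC=example,DC=com",carol,9223372036854770000
"CN=Svc,OU=Service,DC=example,DC=com",svc,0
"""
```

Alice's value converts to 2024-01-01 (Excel serial 45292), while both the raw sentinel, its rounded form and 0 are reported as non-expiring.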
SSN Scanning

Cornell's Spider for Linux/Mac computers

Identity Finder for Windows computers

True Last Login

Unlock Account

Account Lockouts

To track down the cause of account lockouts, use the tools EventCombMT and LockoutStatus from the ALTools (Account Lockout and Management Tools) package from Microsoft.

The LockoutStatus tool shows the DCs associated with lockouts for a given account.

EventCombMT gathers the event logs from the DCs to allow you to track down the offending machine causing the lockouts.

Process:

  1. From CEHDDC09, run "c:\Program Files\Windows Resource Kits\eventcombMT.exe"
  2. Searches --> Built In Searches --> Account Lockouts
  3. Search

This will build the logs in c:\temp needed to find the problem computer.

You can then search through these log files to determine from where the invalid login attempts are coming.

Microsoft Network Analyzer

Description/Notes

  • The MNA captures and parses network traffic on the local machine. (I read there is a version that can capture all traffic, but haven't pursued that.)
  • The MNA captures traffic before the firewall.

MNA Filters

Filters can be set up to allow the user to see only specific traffic (unfiltered, the amount of traffic can be overwhelming).

  • There are sample filters available in the program to help build filters.
  • To capture traffic from a particular MAC address use: Ethernet.Address == 00-02-B3-C3-56-AE
  • To capture traffic related to a particular protocol use the protocol name/alias. For example, to restrict to DHCP traffic use: DHCP
  • To combine filters use AND or OR. For example, to restrict capture to DHCP traffic from MAC address 00-01-02-03-04-05 use: DHCP AND Ethernet.Address == 00-01-02-03-04-05

Copying Files

robocopy

To mirror a directory from one disk to another, preserving security, time stamps, etc. Running this command a second time on the same directory will update any changes and delete any files on the target that have been removed from the source.

  • robocopy d:\source_directory f:\destination_directory /MIR /copyall
  • If you want to skip errors (especially when copying large folders): robocopy d:\source_directory f:\destination_directory /MIR /copyall /W:10 /R:1 (10 seconds between retries, only retry one time)

xcopy

To copy a folder from one folder/disk/computer to another and keep the associated security permissions, use xcopy from the command prompt with the following command line arguments.

xcopy c:\olddocs c:\newdocs /O /X /E /H /K /Q

You can use the Xcopy command with the /O/X/E/H/K switches to copy the files and retain the existing permissions that have been specifically applied to the file or files.

From http://support.microsoft.com/kb/323007/en-us

These switches have the following effects:

  • /E - Copies folders and subfolders, including empty ones.
  • /H - Copies hidden and system files also.
  • /K - Copies attributes. Typically, Xcopy resets read-only attributes.
  • /O - Copies file ownership and ACL information.
  • /X - Copies file audit settings (implies /O).
  • /Q - Quiet mode (does not show file names as files are copied).
  • /C - Continues copying even if errors occur.

NOTE: This procedure does not override inherited permissions. When you use the Xcopy command with the /O /X /E /H /K switches to copy the files, the following inherited permissions apply:

  • The security settings that are directly assigned to the files and folders are retained.
  • The security settings that are inherited from the source parent folder are lost.
  • The security settings of the destination folders are inherited.
  • When you move files or folders to FAT volumes, the folders and files lose their NTFS permissions because FAT volumes do not support NTFS permissions.